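{ config, pkgs, lib, ... }: {
  imports = [
    ./fractal.nix
    ../../roles/server.nix
    ../../roles/homeserver.nix
  ];

  # stateVersion pins stateful defaults for this install; do not bump casually.
  system.stateVersion = "15.09";
  # hostId is needed for the ZFS pool (see boot.supportedFilesystems below).
  networking.hostId = "0702dbe9";

  nixpkgs.overlays = [ (self: super: {
    # Headless host: the JDK bootstrap is built without GTK.
    openjdk8-bootstrap = super.openjdk8-bootstrap.override {
      gtkSupport = false;
    };
  }) ];

  # Reverse proxy. TLS material comes from the acme-sh wildcard certificate
  # declared further down in this file (services.acme-sh.certs.wildcard-yori-cc).
  services.nginx = let
    cert = config.services.acme-sh.certs.wildcard-yori-cc;
    sslCertificate = cert.certPath;
    sslCertificateKey = cert.keyPath;
  in {
    enable = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    recommendedGzipSettings = true;

    virtualHosts."unifi.yori.cc" = {
      onlySSL = true;
      inherit sslCertificate sslCertificateKey;
      locations."/" = {
        proxyPass = "https://[::1]:8443";
        proxyWebsockets = true;
        # Upstream certificate verification is off because the controller
        # on loopback serves its own certificate. This is only acceptable
        # with a loopback upstream; do not copy it for a remote backend.
        extraConfig = ''
          proxy_ssl_verify off;
          proxy_ssl_session_reuse on;
        '';
      };
    };

    # Plain-HTTP catch-all for requests that match no other server name.
    # mkForce overrides values presumably set by one of the imported roles.
    virtualHosts."frumar.yori.cc" = {
      enableACME = lib.mkForce false;
      forceSSL = lib.mkForce false;
      default = true;
    };
  };

  boot.supportedFilesystems = [ "zfs" ];

  # Torrent traffic is kept in its own network namespace behind the VPN.
  services.yorick.torrent-vpn = {
    enable = true;
    name = "mullvad-nl4";
    namespace = "torrent";
  };

  services.plex = {
    enable = true;
    openFirewall = true;
  };

  services.iperf3 = {
    enable = true;
    openFirewall = true;
  };

  services.unifi = {
    enable = true;
    openFirewall = true;
    jrePackage = pkgs.jre8_headless;
  };

  # Long-term metrics storage; prometheus remote-writes into it (below).
  services.victoriametrics = {
    enable = true;
    retentionPeriod = 12;
  };

  services.prometheus = {
    enable = true;
    # The admin API permits destructive operations (deleting series,
    # snapshots). Port 9090 is only opened on wg-y (networking.firewall below),
    # so keep it off any interface that is not the management VPN.
    extraFlags = [ "--web.enable-admin-api" ];
    # victoriametrics
    remoteWrite = [{ url = "http://127.0.0.1:8428/api/v1/write"; }];
    scrapeConfigs = [
      # {
      #   job_name = "smartmeter";
      #   # prometheus doesn't support mdns :thinking_face:
      #   static_configs = [{ targets = [ "192.168.178.30" ]; }];
      #   scrape_interval = "10s";
      # }
      {
        job_name = "node";
        static_configs = [{ targets = [ "localhost:9100" ]; }];
        # } {
        #   job_name = "unifi";
        #   static_configs = [ { targets = [ "localhost:9130" ]; } ];
      }
      # {
      #   job_name = "thermometer";
      #   static_configs = [{ targets = [ "192.168.178.21:8000" ]; }];
      # }
      # {
      #   job_name = "esphome";
      #   static_configs = [{ targets = [ "192.168.178.77" ]; }];
      # }
    ];
    exporters.node.enable = true;
    # If the unifi exporter is ever re-enabled, the credentials must come from
    # an age secret (as grafana's do below), not from literals here: anything
    # written into the Nix config ends up world-readable in /nix/store.
    # exporters.unifi = {
    #   enable = true;
    #   unifiAddress = "https://localhost:8443";
    #   unifiInsecure = true;
    #   unifiUsername = "ReadOnlyUser";
    #   unifiPassword = "ReadOnlyPassword";
    # };
  };

  # Encrypted datasets are not unlocked at boot; they are imported later.
  boot.zfs.requestEncryptionCredentials = false;

  # Management ports (grafana 3000, prometheus 9090, unifi 8443) are reachable
  # only over the wg-y interface. The global rules cover MQTT (1883, served by
  # rabbitmq_mqtt below), WS-Discovery for samba-wsdd (5357/tcp, 3702/udp)
  # and HTTPS. Services with openFirewall = true open their own ports as well.
  networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 8443 ];
  networking.firewall.allowedTCPPorts = [ 1883 5357 443 ];
  networking.firewall.allowedUDPPorts = [ 1883 3702 ];

  services.rabbitmq = {
    enable = true;
    plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ];
  };

  services.grafana = {
    enable = true;
    # Binds all interfaces; reachability is governed by the firewall (3000 is
    # only allowed on wg-y). No nginx vhost for grafana.yori.cc is defined in
    # this file, so the public name is presumably proxied elsewhere.
    addr = "0.0.0.0";
    domain = "grafana.yori.cc";
    rootUrl = "https://grafana.yori.cc/";
    extraOptions = {
      # Google OAuth only, no local login form, and no self-registration.
      # The OAuth client credentials are expected to arrive via the
      # age-encrypted EnvironmentFile wired up below.
      AUTH_BASIC_ENABLED = "false";
      AUTH_DISABLE_LOGIN_FORM = "true";
      AUTH_GOOGLE_ENABLED = "true";
      AUTH_GOOGLE_ALLOW_SIGN_UP = "false";
    };
  };

  services.zigbee2mqtt = {
    enable = true;
    settings.availability = true;
    settings.device_options = {
      retain = true;
      legacy = false;
    };
    settings.serial.port = "/dev/ttyUSB0";
  };

  services.home-assistant = {
    enable = true;
    openFirewall = true;
    extraComponents = [
      "default_config"
      "androidtv"
      "esphome"
      "met"
      "unifi" "yeelight" "plex" "frontend"
      "automation" "device_automation"
    ];
    config = {
      media_player = [
        {
          platform = "androidtv";
          host = "192.168.2.181";
          name = "shield";
          device_class = "androidtv";
        }
      ];
      mobile_app = {};
      default_config = {};
      system_log = {};
      "map" = {};

      # YAML include directives are passed through as strings.
      frontend.themes = "!include_dir_merge_named themes";
      automation = "!include automations.yaml";
      homeassistant = {
        name = "Home";
        latitude = "51.84";
        longitude = "5.85";
        elevation = "0";
        unit_system = "metric";
        time_zone = "Europe/Amsterdam";
      };
    };
  };

  age.secrets = {
    grafana.file = ../../../secrets/grafana.env.age;
    # DNS API key read by the acme-sh unit, which is configured with nginx's
    # user/group (see services.acme-sh.certs below). A key file only needs to
    # be readable, so the write and execute bits are not granted.
    transip-key = {
      file = ../../../secrets/transip-key.age;
      mode = "0440";
      owner = "nginx";
      group = "nginx";
    };
  };

  systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana.path;

  services.zfs = {
    trim.enable = false; # no ssd's
    autoScrub = {
      enable = true;
      interval = "*-*-01 02:00:00"; # monthly + 2 hours
    };
  };

  # Disabled. Note that the share as written is guest-accessible and writable,
  # gated only by `hosts allow`; revisit those settings before re-enabling.
  services.samba = {
    enable = false;
    openFirewall = false;
    shares.public = {
      path = "/data/plexmedia";
      browseable = "yes";
      "guest ok" = "yes";
      "hosts allow" = "192.168.178.0/255.255.255.0";
      "writeable" = "yes";
      "force user" = "nobody";
      "force directory mode" = "2777";
    };
  };

  services.samba-wsdd = {
    enable = true;
    interface = "eno1";
    hostname = "NAS";
  };

  # sonarr/radarr run as the plex user so the media they write stays
  # readable by plex without extra group juggling.
  services.sonarr = {
    enable = true;
    group = "plex";
    user = "plex";
    openFirewall = true;
  };

  services.radarr = {
    enable = true;
    group = "plex";
    user = "plex";
    openFirewall = true;
  };

  services.znapzend = {
    enable = true;
    pure = true;
    features = {
      zfsGetType = true;
      # sendRaw ships snapshots as raw streams, so encrypted datasets
      # stay encrypted in transit and at the destination.
      sendRaw = true;
    };
    zetup = {
      "frumar-new/plexmedia" = {
        plan = "1w=>6h,1m=>1w,1y=>1m,2y=>6m,50y=>1y";
      };
    };
  };

  users.users.plex.packages = with pkgs; [
    ffmpeg
  ];

  users.users.yorick.packages = with pkgs; [
    borgbackup
    bup
    fzf
    git-annex
    magic-wormhole
    python3
    ranger
    pyroscope
    rtorrent
  ];

  # Wildcard certificate via the TransIP DNS challenge; the API key is the
  # transip-key age secret injected through the unit environment below.
  services.acme-sh.certs.wildcard-yori-cc = {
    mainDomain = "*.yori.cc";
    dns = "dns_transip";
    production = true;
    postRun = "systemctl reload nginx || true";
    inherit (config.services.nginx) user group;
  };

  systemd.services.acme-sh-wildcard-yori-cc.environment = {
    TRANSIP_Username = "yorickvp";
    TRANSIP_Key_File = config.age.secrets.transip-key.path;
  };

}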